Internal Audit Report on Capital Division – Rule Making

Document Properties

  • Type of Publication: Audit
  • Date: November 2012

1. Background

Introduction

Internal Audit conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada’s (OSFI’s) risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations.

An audit of Capital Division was approved by the OSFI Audit Committee and the Superintendent for inclusion in the OSFI 2012-13 Internal Audit Plan.

This report presents the results of that audit based on audit work completed at the end of September 2012. The audit recommendations will support the Capital Division in continuously improving its control framework for Rule Making.

This report was presented to the OSFI Audit Committee and approved by the Superintendent on November 23, 2012. The Assistant Superintendent, Regulation Sector, and Capital Division Senior Management, who have provided their management comments within this report, have also reviewed it.

Context

The Capital Division under the Regulation Sector is responsible for setting rules and related prudential standards for capital that federally regulated financial institutions (FRFIs) are required to hold.

The Capital Division, headed by a Senior Director, is organized by Banking (Deposit Taking Institutions) and Insurance (Life Insurance, and Property and Casualty Insurance) under Managing Directors.

This year, Capital Division formed a new group called “Quantitative Analysis” to address the increasing need for OSFI to proactively understand and quantify risk and the impact of its capital policies. Additionally, Capital Division formed the “Insurance Models and Mortgage Insurance” group to address the volume and higher profile of insurance model work. A new resource was added to the group due to OSFI’s added regulatory responsibilities related to Canada Mortgage and Housing Corporation.

Capital Division supports OSFI’s mandate by undertaking the following four main objectives and related activities:

  1. Rule Making ensures that:
    1. OSFI’s capital rules and related prudential standards and guidelines are timely, clear and relevant, appropriately reflect industry and market practices, meet or exceed international minimums and are developed using an appropriate consultation process;
    2. An appropriate balance exists in rules between safety and soundness while taking into account the need to have a competitive environment in which federally regulated financial institutions (FRFIs) can succeed; and
    3. It contributes to the development of international regulations, standards, and rule-making through its participation in international prudential regulation for such entities as the Basel Committee on Banking Supervision (BCBS) and the International Association of Insurance Supervision (IAIS).
  2. Supervisory Support contributes to the Supervision Sector (Supervision) risk assessment and intervention process by:
    1. Providing expert advice and ad-hoc on-site support on capital issues; and
    2. Transferring knowledge to Supervision staff.
  3. Capital Model Approvals contribute to the regulatory capital model approvals by verifying that:
    1. The internal capital model to be used by FRFIs addresses the key requirements of the capital rules;
    2. Supervision approvals consistently interpret and apply the capital rules; and
    3. At the time of the approval, sufficient capital exists to protect depositors and policyholders when unexpected losses occur.
  4. Capital Precedents contribute to OSFI’s capital instrument review process by:
    1. Assessing the quality of capital proposals that raise policy or precedent-setting issues; and
    2. Ensuring that capital instruments of a precedential nature meet OSFI’s mandate to advance and administer a regulatory framework that contributes to public confidence in a strong, stable and competitive financial system.

The last audit Internal Audit completed in Capital Division was the Capital Precedents Framework (design) audit (October 2006).

2. Audit Objective, Scope and Approach

Audit Objective

The objective of the audit was to provide reasonable assurance of:

  • The design effectiveness of the Capital Division Rule Making process, which consists of a five-phase “life cycle”: (1) initial analysis and policy, (2) approval to proceed, (3) guidance (rule development), (4) consultation with industry, and (5) distribution (publishing), used for maintaining capital instrument rule guidance.
  • How well and the degree to which the Capital Division Rule Making:
    • Framework (process) and related procedures and aids/tools are understood by staff, in place and functioning as intended (operations);
    • Process incorporates the input received from and consultation held with Supervision, other Regulation Sector divisions, and the respective industry and international groups, as appropriate; and
    • Decisions made, and letters, advisories and guidance developed are communicated within OSFI and to the relevant industry stakeholders.

Audit Scope

Internal Audit selected Capital Division Rule Making for its review due to the activity’s importance to OSFI’s mandate, as capital rules and related prudential standards and guidelines are foundational to the way OSFI regulates and supervises FRFIs, and due to the increasingly volatile, complex and globalized nature of rule-making.

The audit covered rule-making activities for Deposit Taking Institutions, Life Insurance companies, and Property and Casualty Insurance companies and was assessed based on Capital Division’s November 2010 Rule Making Framework, as well as any improvements made, underway or planned, since that time.

The audit focused on the underlying Rule Making and Expedited Rule Making processes and related procedures and aids/tools used for the period from January 1, 2011 to July 31, 2012, and included published and in-progress rules, prudential standards, and guidance.

Rule-making guidance is broken into:

  • A minor clarification letter
  • A major clarification advisory
  • A minor change policy advisory
  • A major change policy guidance

Scope Exclusions

Matters outside of the scope of this audit include:

  • Other Capital Division activities involving Supervision support in areas such as capital models approval and institution risk assessment and intervention, and Regulation support in capital precedents approvals;
  • Capital Division’s participation in international regulation making, standards and rule-making activities outside of the Rule Making process; and
  • Review of the supporting IT system (Electronic Document Management System) and related security.

Audit Approach

The audit was conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Policy on Internal Audit.

The audit criteria used, as set out in Appendix 1 – Audit Evaluation Criteria, were structured into three sections consistent with the Government of Canada directives for reporting on risk management, governance and control processes and formed the basis for assessing the Capital Division Rule Making process and its application. These criteria incorporated the following Government of Canada and OSFI policies, directives and guidance:

  • Risk Management Policy (Government of Canada)
  • Policy on Internal Control (Government of Canada)
  • Management Accountability Framework (Government of Canada)
  • Corporate Records Policy and Information Management (OSFI)
  • Use of Electronic Document Management System (OSFI)

The audit also incorporated the Treasury Board Secretariat, Internal Audit Sector “Core Management Control Framework” guidance and internationally recognized Committee of Sponsoring Organizations of the Treadway Commission (COSO) control framework, as adapted to OSFI’s business and risk environment.

In applying the audit criteria, Internal Audit looked for the existence of the control criteria and whether they had been operationalized (i.e. in place, communicated, understood, and implemented).

The audit involved three methods of examination:

  1. A review of the Rule Making Framework (process and related procedures and aids/tools) used to manage capital rule-making.
  2. A review of the application of the Rule Making Framework and supporting information and documents used during the five-phase lifecycle:
    1. A walkthrough of the process and a detailed review of a representative sample of Deposit Taking Institutions, Life Insurance and Property and Casualty Insurance rule-making files;
    2. A review of management oversight, reporting and communications at meetings of the Capital Division, Regulation Sector and to Executive Committee members, as appropriate; and
    3. A review of the respective roles and accountability identified within the rule-making process.
  3. Interviews with:
    1. The Senior Director, Capital Division, and Managing Directors of Capital Division’s Banking and Insurance, and related staff;
    2. The Assistant Superintendent, Regulation Sector, and the Superintendent;
    3. Supervision Sector management and staff involved in rule-making; and
    4. Enterprise Risk Management, Human Resources, and Communications management in terms of their support to the Capital Division.

The audit work was conducted on a collaborative basis. The results of the reviews and interviews were combined to ensure a balanced assessment of the Capital Division in providing rule-making services.

3. Conclusion

Conclusion

The Capital Division Rule Making Framework is appropriately designed and, based on our sample tests, being applied appropriately to ensure rule-making is completely and accurately processed and decisions made are reviewed and approved with supporting information and documentation.

We found within the Rule Making Framework effective policy, procedures and practices over planning, and the development and issuance of guidance. For example:

  • The Capital Division prepares comprehensive rule-making plans and priorities annually that are directly tied to OSFI’s corporate planning process and its annual plans and priorities document.
  • The Capital Division management team meets bi-weekly to review the status of rule-making projects, share best practices and exchange information from meetings with industry associations as well as attendance at technical and industry conferences.
  • In addition, the Senior Director, Capital Division, updates the Assistant Superintendent, Regulation Sector, and the Superintendent on possible rule-making issues and the status of current rule-making projects. In turn, they communicate emerging capital rule issues or questions raised by institutions and industry groups to the Senior Director.
  • The Framework includes a comprehensive policy and defined phases of rule-making and incorporates a strong phase-by-phase review and approval of the work. The Capital Division provides extensive on-the-job training as well as training through targeted research work and technical conferences.
  • The capital rule-making process incorporates core values of clarity, transparency and timely release in the development of capital rules. There are internal consultations with the Supervision Sector and the other Regulation divisions as well as extensive informal, direct and public consultation with external stakeholders. In addition, OSFI’s participation in industry conferences and association meetings provides the fora for the exchange of forward-looking views and challenges ahead.

As outlined in this report, there are two areas that need the attention of management:

  • Keeping files on the central Electronic Document Management System current throughout the rule-making process; and
  • Strengthening the Division’s risk assessment process and updating its risk register.

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined.

The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit, and the procedures used meet the professional standards of the Institute of Internal Auditors. The evidence has been gathered to be sufficient to provide senior management with the proof of the opinion derived from the internal audit.

We wish to recognize the excellent collaboration throughout the audit, especially management briefings on the process followed and timely access to the supporting information and documents.

Chief Audit Executive, IA


4. Management Response

Overview

This report has been reviewed by the Senior Director, Capital Division, and the Assistant Superintendent, Regulation Sector, who acknowledge its observations and recommendations.

The recommendations will support the Capital Division in keeping the currency of rule-making information and documents in OSFI’s centralized Electronic Document Management System, and strengthening its Rule Making Framework guidance in risk management.

Responses / Comments

The Capital Division wishes to express its many thanks to the audit team for the professional, clear, and transparent way in which they conducted their audit. We agree with the recommendations of the audit team and will implement them by December 31, 2012.

5. Observations and Recommendations

Observation 1
Currency of capital rule information and documents

Based on our review of the Capital Division Rule Making Framework and our sample test results, we found that the Framework design and its application are appropriate to ensure rule-making is completely and accurately processed and decisions made are reviewed and approved with supporting information and documentation. The application of the Framework demonstrated the core values of clarity, transparency and timeliness in the development and publication of capital rule guidance.

However, in our review we noted that some research, background documents, and correspondence on active rule-making files are saved on staff computers and transferred to EDMS, OSFI’s Electronic Data Management System, when the file is less active (i.e. near completion) or finalized.

Furthermore, we noted that some Capital Division staff access EDMS through Livelink Explorer (Explorer), rather than through EDMS Browser (Browser), where the main file is located. While this was an acceptable practice in the past, this has become an issue since the office-wide migration to Windows 7, as Explorer no longer synchronizes with the Browser automatically for new versions of existing files. As a result, multiple versions of the same file may exist independently from the main file on the Browser.

Based on our discussions with IM/IT, users of Explorer must manually synchronize the Browser each time a new file version is created or updated. However, based on our discussions with management, Capital Division staff were not aware of these additional procedures. That means that staff sharing files throughout the rule-making process may not be accessing the most current version if the files were not synchronized with the EDMS Browser.

As a result, rule-making information, including the record of decisions made throughout development, may not be readily available, current, or could be compromised, affecting the timely production of capital rules and future rule development.

IA recognizes that Capital Division management responded immediately to the concern of the currency of files on the Browser by advising Capital Division staff of the importance of saving rule-making files in a timely manner onto the Browser, and providing instructions to ensure files in both the Livelink Explorer and the EDMS Browser are up to date.

Recommendation:

The Capital Division should establish a closing file or post-publication “closing of file checklist” whereby management confirms that all relevant information related to rule-making has been filed in the Livelink Explorer and the EDMS Browser to provide a complete record of the rule-making process and decisions made throughout its development. We have shared a rule-making assessment checklist used during our audit as a starting point for designing a “closing of file checklist”.

Management Action Plan:

We are pleased that the audit team identified a Livelink/EDMS issue, which arose as a result of the office-wide migration to Windows 7. We were not aware of this issue prior to the audit and have taken immediate action to ensure past and future files are entirely synchronized between Livelink and EDMS.

On a go-forward basis, to further ensure files on the Electronic Data Management System are current, we will implement the file closing checklist provided by the audit team. This procedure will be effective as of November 1, 2012.

Observation 2
Completeness of Capital Division’s risk register

OSFI implemented an Enterprise Risk Management (ERM) policy and process to identify, assess and mitigate its risks. Using the ERM guidance, individual divisions, such as the Capital Division, complete risk assessments, which are then consolidated into sector-level risk assessments (e.g. Regulation Sector), and finally, into an OSFI-level risk assessment.

During our review of Capital Division’s risk assessment process for rule-making, we noted that management reviews key risk areas and actions taken monthly through various levels of management meetings, including meetings with the Assistant Superintendent, Regulation Sector. We also noted that the Division conducts formal risk reviews annually by updating its risk register and reporting on key risks to senior management as part of corporate planning and priority setting.

Although we noted that the Capital Division Risk Register follows the ERM guidance, we identified other risks that we believe are relevant and important to rule-making, but were not in the Risk Register, specifically the information and management process, key internal control process, stakeholders, direct and indirect influencers and values. Furthermore, while we noted that the Rule Making Framework incorporated key controls to address the identified risks, we noted that the Risk Register did not reflect all of the Framework’s key controls.

Without identifying all relevant risks and mapping them to rule-making controls (e.g. policies, procedures, practices), the full extent and scope of risks associated with rule-making may not be identified and assessed, potentially impacting the Capital Division’s ability to ensure timely, clear and relevant publication of capital rules and related prudential standards, although the audit did not observe any deficiencies in these matters.

IA notes that OSFI has two initiatives underway that should provide additional guidance to Capital Division in completing its risk assessment. These include updated ERM guidance related to completion of risk registers and a draft Enterprise-wide Internal Control (EWIC) framework, which provides further guidance on risk and control assessment.

During the audit, IA worked with the Capital Division on risk assessment tools to identify risks relevant to rule-making (using ERM guidance) and to map them to a generic control structure (COSO-based) and draft impact statements (using draft EWIC guidance). These tools were useful in evaluating the rule-making control structure and the underlying processes, activities and practices. We support the Capital Division in incorporating these risk assessment tools into its Rule Making Framework.

Recommendation:

The Capital Division should update its risk assessment to include all relevant risks and controls and update its risk register as appropriate.

Management Action Plan:

As recommended by the audit team, the Capital Division will update its risk assessment that will also document risk controls. This will be done using the risk assessment tools used in the context of the audit, namely the COSO-based generic control structure and impact statement (using draft EWIC guidance). This will be completed by December 31, 2012.

We will ensure that this detailed risk framework is incorporated into the Regulation Sector risk framework. The timing will be determined in consultation with owners of the ERM and EWIC processes.

Appendix 1: Audit Evaluation Criteria

Capital Division Rule Making Audit Evaluation Criteria
Element Components
Risk Management
1. Risk Management
  • External and internal risk related to Capital Rule Making is identified and assessed; mitigation/controls are in place, consistent with ERM policy.
  • A structure exists for monitoring and managing risk/issues as to the comprehensiveness, thoroughness and currency of risk information, assessments and reporting.
Governance
2. Operating Environment
  • Roles, accountabilities and responsibilities related to rule-making at the Executive, Regulation and Supervision Sectors are defined and communicated to management and staff.
  • Adequate resources are available to support Rule Making.
  • Technical and competencies, including the required formal and informal training necessary to maintain knowledge levels and needed expertise, are set out.
  • Rule Making reflects values of transparency, clarity and timeliness in internal and external communications.
3. Objective Setting
  • Rule Making objectives, plans and priorities are:
    • Defined and communicated to management and staff;
    • Aligned with and support OSFI’s objectives (and plan and priorities);
    • Aligned with management reporting and performance measurement;
    • Aligned with relevant Government of Canada and regulatory policies, directives, standards and guidance as appropriate.
  • Risk management and risk tolerance practices have been established for rule-making.
4. Information & Communication, Monitoring & Management Reporting
  • Rule Making information and performance measures are defined and incorporated into Capital Division, Regulation Sector and Executive briefings and reports.
  • Management reporting practices and tools, such as weekly project updates to the Assistant Superintendent and quarterly reports to Executive are in place to monitor progress against plan, identify risks to the plan and allow adjustments to be made.
  • A continuous improvement process exists to monitor and report on:
    • Achieving Rule-Making objectives;
    • Adherence to Rule-Making processes and practices (non-compliance);
    • Areas for improvement;
    • Adequacy of resources to support Rule Making.
  • Management reporting practices and tools are in place to monitor progress against management and staff technical and competencies development and training programs.
  • A Corporate Memory is incorporated into Rule Making and maintained through the capture of information in EDMS and other internal systems.
Controls
5. Process and Control Activities
  • A management oversight process exists over Rule Making.
  • Processes exist that set out:
    • Procedures and activity requirements for the five phases of rule-making:
      1. Initial policy analysis;
      2. Approval of action to be taken;
      3. Guidance – clarification of existing guidance or a change to OSFI policy with new guidance;
      4. Consultation with the respective industry;
      5. Distribution – publication of the guidance;
    • Key deliverables and related timelines (calendar);
    • Communication protocol with internal and external stakeholders that reflects OSFI’s values of transparency, clarity and timeliness.